User Attributes Profiling Method and Application in Insider Threat Detection  (Cited by: 5)


Authors: ZHONG Ya; GUO Yuan-bo[1]; LIU Chun-hui; LI Tao[1] (Cryptography Engineering Institute, Information Engineering University, Zhengzhou 450001, China; Unit 61213 of The Chinese People's Liberation Army, Linfen, Shanxi 041000, China)

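Affiliations: [1] Cryptography Engineering Institute, Information Engineering University, Zhengzhou 450001; [2] Unit 61213 of The Chinese People's Liberation Army, Linfen, Shanxi 041000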

Source: Computer Science (计算机科学), 2020, Issue 3, pp. 292-297, 6 pages

Funding: National Natural Science Foundation of China (61501515)

Abstract: With the wide use of information technology and Internet technology in enterprises and organizations, enterprise security faces unprecedented challenges. Most enterprises face both attacks from outside and insider attacks by their own personnel. Because timely and effective detection methods are lacking, the damage that insider attacks cause to enterprises and organizations is, to a certain extent, more serious than that caused by external attacks. Within organizations and enterprises, people are the ones who carry out malicious behavior, and they are the main research object in insider threat detection. Existing insider threat detection methods supervise each internal employee in complete isolation, which leads to low correlation between similar threats and low detection efficiency. To address these problems, this paper shifts the research focus from discovering triggers to clustering and supervising similar users, takes the users in an organization as the research subject, and proposes a user attribute profiling method for insider threat detection. The method first defines how the similarity between profiles is calculated. It then starts from multiple factors, such as user character, personality, past experience, working status, and setbacks encountered, and integrates them using ontology theory and a tag-based profiling method. Finally, an improved K-Means algorithm is used to cluster users and manage them in groups, achieving joint supervision of potentially malicious users and reducing the possibility of similar damage occurring repeatedly. Experimental results demonstrate the feasibility of the proposed method, which provides ideas and methods for organizations to prevent insider threats.

Keywords: enterprise security; insider threat; user profiling; group management; similarity calculation; K-Means

Classification number: TP391 [Automation and Computer Technology: Computer Application Technology]

 
